circle-ir 3.27.1 → 3.29.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/configs/sinks/path.yaml +6 -4
- package/dist/analysis/config-loader.d.ts.map +1 -1
- package/dist/analysis/config-loader.js +76 -54
- package/dist/analysis/config-loader.js.map +1 -1
- package/dist/analysis/passes/taint-matcher-pass.js +1 -1
- package/dist/analysis/passes/taint-matcher-pass.js.map +1 -1
- package/dist/analysis/taint-matcher.d.ts +2 -2
- package/dist/analysis/taint-matcher.d.ts.map +1 -1
- package/dist/analysis/taint-matcher.js +27 -8
- package/dist/analysis/taint-matcher.js.map +1 -1
- package/dist/analyzer.d.ts.map +1 -1
- package/dist/analyzer.js +270 -253
- package/dist/analyzer.js.map +1 -1
- package/dist/browser/circle-ir.js +341 -277
- package/dist/core/circle-ir-core.cjs +118 -63
- package/dist/core/circle-ir-core.js +118 -63
- package/dist/core/index.d.ts +1 -1
- package/dist/core/index.d.ts.map +1 -1
- package/dist/core/index.js +1 -1
- package/dist/core/index.js.map +1 -1
- package/dist/core/parser.d.ts +19 -1
- package/dist/core/parser.d.ts.map +1 -1
- package/dist/core/parser.js +53 -2
- package/dist/core/parser.js.map +1 -1
- package/dist/types/config.d.ts +8 -1
- package/dist/types/config.d.ts.map +1 -1
- package/package.json +1 -1
package/configs/sinks/path.yaml
CHANGED
|
@@ -52,9 +52,10 @@
|
|
|
52
52
|
"cwe": "CWE-022",
|
|
53
53
|
"severity": "medium",
|
|
54
54
|
"arg_positions": [
|
|
55
|
-
0
|
|
55
|
+
0,
|
|
56
|
+
1
|
|
56
57
|
],
|
|
57
|
-
"note": "File object creation - check usage"
|
|
58
|
+
"note": "File object creation - check usage. arg 1 covers File(parent, child) overload (CVE-2018-8041 Camel mail)"
|
|
58
59
|
},
|
|
59
60
|
{
|
|
60
61
|
"method": "delete",
|
|
@@ -424,9 +425,10 @@
|
|
|
424
425
|
"cwe": "CWE-22",
|
|
425
426
|
"severity": "high",
|
|
426
427
|
"arg_positions": [
|
|
427
|
-
0
|
|
428
|
+
0,
|
|
429
|
+
1
|
|
428
430
|
],
|
|
429
|
-
"note": "Auto-mined from CVE analysis"
|
|
431
|
+
"note": "Auto-mined from CVE analysis. arg 1 covers File(parent, child) overload (CVE-2018-8041)"
|
|
430
432
|
},
|
|
431
433
|
{
|
|
432
434
|
"method": "openStream",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA6Z1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,
|
|
1
|
+
{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA6Z1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EA6nCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
|
|
@@ -451,7 +451,9 @@ export const DEFAULT_SINKS = [
|
|
|
451
451
|
{ method: 'ProcessBuilder', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
452
452
|
{ method: 'command', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
453
453
|
// Commons Exec
|
|
454
|
-
|
|
454
|
+
// Note: bare class 'Executor' removed — it collided with java.util.concurrent.Executor
|
|
455
|
+
// (Executor.execute(Runnable) is not command injection). Apache Commons Exec users
|
|
456
|
+
// typically declare DefaultExecutor explicitly, so we match that instead. See issue #14.
|
|
455
457
|
{ method: 'execute', class: 'DefaultExecutor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
456
458
|
{ method: 'CommandLine', class: 'constructor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
457
459
|
{ method: 'parse', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
@@ -519,8 +521,8 @@ export const DEFAULT_SINKS = [
|
|
|
519
521
|
{ method: 'popen', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
520
522
|
{ method: 'system', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
521
523
|
// Apache Commons Exec
|
|
522
|
-
|
|
523
|
-
{ method: 'setCommandline', class: '
|
|
524
|
+
// Note: bare class 'Executor' removed (see comment above) — DefaultExecutor matched explicitly.
|
|
525
|
+
{ method: 'setCommandline', class: 'DefaultExecutor', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
524
526
|
{ method: 'parse', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
525
527
|
{ method: 'addArgument', class: 'CommandLine', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
526
528
|
// Process-related utilities
|
|
@@ -529,7 +531,10 @@ export const DEFAULT_SINKS = [
|
|
|
529
531
|
{ method: 'redirectOutput', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'medium', arg_positions: [0] },
|
|
530
532
|
{ method: 'redirectInput', class: 'ProcessBuilder', type: 'command_injection', cwe: 'CWE-78', severity: 'medium', arg_positions: [0] },
|
|
531
533
|
// Path Traversal (CWE-22)
|
|
532
|
-
|
|
534
|
+
// File: covers both File(String pathname) and File(parent, child). The 2-arg
|
|
535
|
+
// overload's child argument carries CVE-2018-8041 (Camel mail Content-Disposition
|
|
536
|
+
// filename written to disk).
|
|
537
|
+
{ method: 'File', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1] },
|
|
533
538
|
{ method: 'FileInputStream', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
534
539
|
{ method: 'FileOutputStream', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
535
540
|
{ method: 'FileReader', class: 'constructor', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
@@ -1141,11 +1146,14 @@ export const DEFAULT_SINKS = [
|
|
|
1141
1146
|
{ method: 'spawn', class: 'child_process', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1142
1147
|
{ method: 'spawnSync', class: 'child_process', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1143
1148
|
// Also match without receiver (destructured imports: const { exec } = require('child_process'))
|
|
1149
|
+
// `exec` is intentionally classless: catches Node.js child_process.exec AND
|
|
1150
|
+
// Java Runtime.exec (via `r.exec()` where heuristic can't resolve r → Runtime).
|
|
1144
1151
|
{ method: 'exec', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0] },
|
|
1145
|
-
|
|
1146
|
-
{ method: '
|
|
1147
|
-
{ method: '
|
|
1148
|
-
{ method: '
|
|
1152
|
+
// `execSync`/`spawn`/`spawnSync`/`execFile` are Node-specific — language-scope them.
|
|
1153
|
+
{ method: 'execSync', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1154
|
+
{ method: 'spawn', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1155
|
+
{ method: 'spawnSync', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1156
|
+
{ method: 'execFile', type: 'command_injection', cwe: 'CWE-78', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1149
1157
|
// Node.js File System (path traversal)
|
|
1150
1158
|
{ method: 'readFile', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1151
1159
|
{ method: 'readFileSync', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
@@ -1158,12 +1166,15 @@ export const DEFAULT_SINKS = [
|
|
|
1158
1166
|
{ method: 'createReadStream', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1159
1167
|
{ method: 'createWriteStream', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1160
1168
|
// Node.js SQL (mysql, pg, sqlite, etc.)
|
|
1161
|
-
|
|
1162
|
-
|
|
1163
|
-
{ method: 'query', class: '
|
|
1169
|
+
// Language-scoped: generic class names `Pool`/`Connection`/`Client` substring-match
|
|
1170
|
+
// unrelated Java identifiers like `cachedThreadPool`, `dbConnection`. See issue #14.
|
|
1171
|
+
{ method: 'query', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1172
|
+
{ method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1173
|
+
{ method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1164
1174
|
// Note: classless { method: 'query' } removed — too many FPs (UriComponentsBuilder.query(), etc.)
|
|
1165
1175
|
// SQL query calls are covered by class-specific patterns above (Connection, Pool, Client, JdbcTemplate)
|
|
1166
|
-
|
|
1176
|
+
// Note: `raw` is shared with Python (Django ORM) — scoped to JS+TS to avoid leaking.
|
|
1177
|
+
{ method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1167
1178
|
// Browser DOM XSS sinks
|
|
1168
1179
|
{ method: 'setAttribute', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [1] },
|
|
1169
1180
|
// Express.js XSS (response methods)
|
|
@@ -1173,7 +1184,7 @@ export const DEFAULT_SINKS = [
|
|
|
1173
1184
|
{ method: 'html', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1174
1185
|
{ method: 'render', class: 'Response', type: 'xss', cwe: 'CWE-79', severity: 'medium', arg_positions: [1] },
|
|
1175
1186
|
// Node.js Code Injection (eval, vm, etc.)
|
|
1176
|
-
{ method: 'eval', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1187
|
+
{ method: 'eval', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1177
1188
|
{ method: 'Function', class: 'constructor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1178
1189
|
{ method: 'runInContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
1179
1190
|
{ method: 'runInNewContext', class: 'vm', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
|
|
@@ -1189,7 +1200,7 @@ export const DEFAULT_SINKS = [
|
|
|
1189
1200
|
{ method: 'get', class: 'axios', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1190
1201
|
{ method: 'post', class: 'axios', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1191
1202
|
{ method: 'request', class: 'axios', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1192
|
-
{ method: 'fetch', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1203
|
+
{ method: 'fetch', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0], languages: ['javascript', 'typescript'] },
|
|
1193
1204
|
{ method: 'request', class: 'http', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1194
1205
|
{ method: 'get', class: 'http', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1195
1206
|
{ method: 'request', class: 'https', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
@@ -1218,10 +1229,12 @@ export const DEFAULT_SINKS = [
|
|
|
1218
1229
|
{ method: 'check_call', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1219
1230
|
{ method: 'Popen', class: 'subprocess', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1220
1231
|
// Python Code Injection
|
|
1221
|
-
|
|
1222
|
-
|
|
1223
|
-
{ method: '
|
|
1224
|
-
{ method: '
|
|
1232
|
+
// Language-scoped: classless `exec`/`eval`/`compile` collide with Java/JS builtins
|
|
1233
|
+
// and Java util.concurrent (e.g. Executor.execute / future.compile).
|
|
1234
|
+
{ method: 'eval', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
1235
|
+
{ method: 'exec', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
1236
|
+
{ method: 'compile', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1237
|
+
{ method: '__import__', type: 'code_injection', cwe: 'CWE-94', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1225
1238
|
// Python Deserialization
|
|
1226
1239
|
{ method: 'loads', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1227
1240
|
{ method: 'load', class: 'pickle', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
@@ -1229,36 +1242,39 @@ export const DEFAULT_SINKS = [
|
|
|
1229
1242
|
{ method: 'load', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1230
1243
|
{ method: 'loads', class: 'yaml', type: 'deserialization', cwe: 'CWE-502', severity: 'critical', arg_positions: [0] },
|
|
1231
1244
|
// Python SQL Injection
|
|
1232
|
-
|
|
1233
|
-
|
|
1234
|
-
{ method: '
|
|
1235
|
-
{ method: '
|
|
1245
|
+
// Language-scoped: classless `execute`/`raw` collide with Java util.concurrent
|
|
1246
|
+
// (Executor.execute, ThreadPool.execute) and other languages. See issue #14.
|
|
1247
|
+
{ method: 'execute', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
1248
|
+
{ method: 'executemany', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
1249
|
+
{ method: 'raw', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['python'] },
|
|
1250
|
+
{ method: 'extra', type: 'sql_injection', cwe: 'CWE-89', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1236
1251
|
// Python Path Traversal
|
|
1237
|
-
|
|
1252
|
+
// Language-scoped: classless `open` collides with Java I/O / JS DOM.
|
|
1253
|
+
{ method: 'open', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1238
1254
|
{ method: 'remove', class: 'os', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1239
1255
|
{ method: 'unlink', class: 'os', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1240
1256
|
{ method: 'rmdir', class: 'os', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1241
1257
|
{ method: 'rmtree', class: 'shutil', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0] },
|
|
1242
|
-
{ method: 'send_file', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1258
|
+
{ method: 'send_file', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1243
1259
|
// Python XSS / SSTI
|
|
1244
|
-
{ method: 'render_template_string', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1245
|
-
{ method: 'Markup', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1246
|
-
{ method: 'mark_safe', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0] },
|
|
1260
|
+
{ method: 'render_template_string', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1261
|
+
{ method: 'Markup', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1262
|
+
{ method: 'mark_safe', type: 'xss', cwe: 'CWE-79', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1247
1263
|
// Python SSRF
|
|
1248
1264
|
{ method: 'get', class: 'requests', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1249
1265
|
{ method: 'post', class: 'requests', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1250
1266
|
{ method: 'urlopen', class: 'urllib.request', type: 'ssrf', cwe: 'CWE-918', severity: 'high', arg_positions: [0] },
|
|
1251
1267
|
// Python Open Redirect
|
|
1252
|
-
{ method: 'redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0] },
|
|
1268
|
+
{ method: 'redirect', type: 'open_redirect', cwe: 'CWE-601', severity: 'medium', arg_positions: [0], languages: ['python'] },
|
|
1253
1269
|
// Python XPath Injection
|
|
1254
|
-
{ method: 'xpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1270
|
+
{ method: 'xpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1255
1271
|
{ method: 'find', class: 'etree', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1256
1272
|
{ method: 'findall', class: 'etree', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1257
1273
|
{ method: 'iterfind', class: 'etree', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1258
1274
|
{ method: 'XPath', class: 'lxml', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1259
1275
|
// elementpath library (XPath 2.0/3.0)
|
|
1260
1276
|
{ method: 'select', class: 'elementpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [1] },
|
|
1261
|
-
{ method: 'select', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1277
|
+
{ method: 'select', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0], languages: ['python'] },
|
|
1262
1278
|
{ method: 'iter_select', class: 'elementpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [1] },
|
|
1263
1279
|
{ method: 'Selector', class: 'elementpath', type: 'xpath_injection', cwe: 'CWE-643', severity: 'high', arg_positions: [0] },
|
|
1264
1280
|
// Python XXE
|
|
@@ -1350,36 +1366,42 @@ export const DEFAULT_SINKS = [
|
|
|
1350
1366
|
{ method: 'arg', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1351
1367
|
{ method: 'args', class: 'Command', type: 'command_injection', cwe: 'CWE-78', severity: 'critical', arg_positions: [0] },
|
|
1352
1368
|
// Rust SQL Injection (sqlx, diesel, rusqlite, tokio-postgres)
|
|
1353
|
-
|
|
1354
|
-
|
|
1355
|
-
{ method: 'query', class: '
|
|
1356
|
-
{ method: 'execute', class: '
|
|
1357
|
-
{ method: '
|
|
1358
|
-
{ method: '
|
|
1359
|
-
{ method: '
|
|
1360
|
-
{ method: '
|
|
1361
|
-
{ method: '
|
|
1369
|
+
// Language-scoped: generic class names `Pool`/`Connection`/`Client` substring-match
|
|
1370
|
+
// unrelated Java identifiers (cachedThreadPool, dbConnection). See issue #14.
|
|
1371
|
+
{ method: 'query', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1372
|
+
{ method: 'execute', class: 'Client', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1373
|
+
{ method: 'query', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1374
|
+
{ method: 'execute', class: 'Pool', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1375
|
+
{ method: 'sql_query', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1376
|
+
{ method: 'raw_sql', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1377
|
+
{ method: 'execute', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1378
|
+
{ method: 'query_row', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1379
|
+
{ method: 'prepare', class: 'Connection', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1362
1380
|
// sqlx::query macro — use class-specific pattern
|
|
1363
1381
|
{ method: 'query', class: 'sqlx', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0] },
|
|
1364
1382
|
// rusqlite specific
|
|
1365
|
-
|
|
1366
|
-
|
|
1367
|
-
{ method: '
|
|
1383
|
+
// Language-scoped: classless `execute`/`prepare`/`query_map` collide with
|
|
1384
|
+
// Java util.concurrent (Executor.execute, ExecutorService) and other languages.
|
|
1385
|
+
{ method: 'prepare', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1386
|
+
{ method: 'execute', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1387
|
+
{ method: 'query_map', type: 'sql_injection', cwe: 'CWE-89', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1368
1388
|
// Rust Path Traversal
|
|
1369
1389
|
{ method: 'open', class: 'File', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1370
1390
|
{ method: 'create', class: 'File', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1371
|
-
|
|
1372
|
-
|
|
1373
|
-
{ method: '
|
|
1374
|
-
{ method: '
|
|
1375
|
-
{ method: '
|
|
1376
|
-
{ method: '
|
|
1377
|
-
{ method: '
|
|
1378
|
-
{ method: '
|
|
1379
|
-
{ method: '
|
|
1380
|
-
{ method: '
|
|
1381
|
-
{ method: '
|
|
1382
|
-
{ method: '
|
|
1391
|
+
// Language-scoped: classless std::fs helpers collide with Java/JS method names
|
|
1392
|
+
// (write, copy, rename, metadata, etc.) See issue #14.
|
|
1393
|
+
{ method: 'read_dir', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1394
|
+
{ method: 'remove_file', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1395
|
+
{ method: 'remove_dir', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1396
|
+
{ method: 'remove_dir_all', type: 'path_traversal', cwe: 'CWE-22', severity: 'critical', arg_positions: [0], languages: ['rust'] },
|
|
1397
|
+
{ method: 'copy', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1], languages: ['rust'] },
|
|
1398
|
+
{ method: 'rename', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0, 1], languages: ['rust'] },
|
|
1399
|
+
{ method: 'write', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1400
|
+
{ method: 'read_to_string', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1401
|
+
{ method: 'create_dir', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1402
|
+
{ method: 'create_dir_all', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0], languages: ['rust'] },
|
|
1403
|
+
{ method: 'metadata', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0], languages: ['rust'] },
|
|
1404
|
+
{ method: 'symlink_metadata', type: 'path_traversal', cwe: 'CWE-22', severity: 'medium', arg_positions: [0], languages: ['rust'] },
|
|
1383
1405
|
// Tokio async fs
|
|
1384
1406
|
{ method: 'read_to_string', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|
|
1385
1407
|
{ method: 'write', class: 'fs', type: 'path_traversal', cwe: 'CWE-22', severity: 'high', arg_positions: [0] },
|